Security & privacy
How brymbl protects your data — and your customers'.
Client data isolation
Every client runs in a separate workspace. Every query in the system is explicitly workspace-scoped, and the database defaults to full deny (RLS deny-by-default) — access happens only through our servers, never directly from the browser.
Models don't train on your data
We work with model providers (Anthropic, OpenAI, Google) through business APIs where the default is no training on customer data. Your site content and catalog are used solely to answer your customers.
Prices and stock — one source of truth
The agent doesn't "remember" prices. Every price, promotion and stock status is pulled live from your synced catalog, stamped with its last sync time. A question without an answer in the sources becomes a lead — not a guess.
Visitor privacy (Israel Privacy Law, Amendment 13)
Conversations and leads are personal data. We store them securely, delete them per an agreed retention policy, and provide a data processing agreement (DPA) to every client. The widget sets no tracking cookies — a conversation identifier only.
The widget can't break your site
The embed script loads asynchronously, wrapped in full error guards, with an instant per-client kill switch. If our service is ever down — your site keeps working as usual, unchanged.
Abuse protections
Rate limiting per visitor and per site, monthly conversation ceilings, an allowed-origins list per install, and hardening against prompt injection in crawled content — site content is treated as data, never as instructions.
Questions?
Happy to walk through a security questionnaire or provide a DPA — talk to us.